Skip to main content

Oracle REST Data Services CVE-2026-46843

| EUVDEUVD-2026-33021 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-28 oracle GHSA-5g7w-gjx9-g73q
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:30 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

AnalysisAI

Partial denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to degrade availability of the Core component via HTTPS. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerability is trivially reachable with no authentication, no user interaction, and no special conditions, making automated scanning and opportunistic exploitation straightforward despite the limited availability-only impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Oracle disclosed this through its May 2026 Critical Patch Update.

Technical ContextAI

Oracle REST Data Services (ORDS) is Oracle's middleware layer that exposes database resources as RESTful web services over HTTPS, commonly deployed in front of Oracle Database and Autonomous Database environments. The affected component is 'Core', which handles foundational request processing. The CPE string (cpe:2.3:a:oracle_corporation:oracle_rest_data_services:*:*:*:*:*:*:*:*) confirms the vulnerability spans the entire product line across the listed version range. No CWE classification was provided by Oracle or NVD, which is consistent with Oracle's standard practice of withholding root-cause details; the partial availability impact (A:L in CVSS) and the lack of confidentiality or integrity impact (C:N/I:N) suggest the flaw likely involves resource exhaustion, malformed request handling, or an uncontrolled processing loop in the Core request pipeline rather than memory corruption or injection.

RemediationAI

Upgrade Oracle REST Data Services to a version beyond the affected range (24.2.0-26.1.0) per the Oracle Critical Patch Update for May 2026, available at https://www.oracle.com/security-alerts/cspumay2026.html. An exact fix version number is not specified in the provided intelligence data - consult the full CPU advisory and Oracle Support for the precise patched release applicable to your deployment. As a compensating control pending patching, restrict network access to ORDS HTTPS endpoints at the perimeter or load balancer layer to known, trusted client IP ranges; this directly counteracts the AV:N attack vector and eliminates remote exploitability for unauthorized sources, with the trade-off of potentially disrupting legitimate external API consumers. Rate-limiting inbound HTTPS connections to the ORDS listener can reduce the impact of any availability-targeted abuse without requiring a network block. Web Application Firewall (WAF) rules inspecting malformed or anomalous HTTPS request patterns toward ORDS endpoints may provide additional mitigation, though rule specificity is limited without a published CWE or request pattern for this vulnerability.

Share

CVE-2026-46843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy